NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

SAP Security and Control Review
Report #OIG-01-01
March 15, 2001

Frank Thomas
Inspector General

Released by: William A. DeSarno, Assistant Inspector General for Audits
Auditor in Charge: Tammy F. Rapp, Senior IT Auditor

EXECUTIVE SUMMARY

We performed a review of the National Credit Union Administration's (NCUA) financial system, SAP R/3 (SAP). SAP is used by NCUA primarily to perform online payment and accounting of agency financial transactions. The purpose of our review was to assess controls and recommend corrections for any deficiencies. We contracted with KPMG LLP to provide technical assistance. Our review was performed from June through September 2000, and our observations were presented during an exit briefing at the conclusion of fieldwork. We applaud NCUA for their sincere efforts and the many positive steps they have taken to address the weaknesses identified during this review.

Our specific objectives were to determine whether the controls were adequate to reduce the risks to an acceptable level for SAP's Basis and the Financial Accounting, Controlling, and Purchasing modules. In addition, we identified the current functionality of the Human Resources module and performed an overall high-level risk assessment.

Our review identified several internal control weaknesses in the SAP security configuration. Because SAP is utilized to process financial accounting information including Purchasing, Accounts Payable, Accounts Receivable, General Ledger and Human Resources, security breaches in this area could lead to unauthorized, undetected access to confidential financial and employee data. The most significant findings were:

•   Duties within the purchasing process have not been adequately segregated. As a result, personnel could possibly gain control of the entire purchasing cycle, resulting in errors, irregularities or fraud.

•   A large number of users have been granted inappropriate authorities in the Financial Accounting and Controlling modules.

We believe the National Credit Union Administration (NCUA) should take immediate action to conduct a thorough review of user access in order to ensure that user access is appropriately restricted and that incompatible duties are segregated. If, due to organizational structure and business need, duties cannot be segregated, management should implement compensating controls such as periodic review of management reports.

These issues and the associated recommendations are discussed in detail in the attached report. Issues and recommendations included in this report have been assigned a risk rating of High, Medium, or Low. These risk ratings are based upon established professional control guidelines and KPMG's in-depth experience in evaluating controls in SAP and other business software applications.

NCUA's consolidated response to the 42 recommendations has been extremely positive. NCUA has either implemented or agreed to implement all but one of the report's original 43 recommendations. The OIG agreed with NCUA's comment on this one low risk issue and has retracted this recommendation from the final report. NCUA partially agreed with our recommendation concerning segregation of duties because NCUA is a small agency with only a few individuals capable of performing certain duties within any given office. We understand NCUA's concern and believe that compensating controls can be established to balance the risk.

Please note the content of this report is restricted to official use only in order to protect the sensitive nature of the specific control weaknesses identified.